I’ve got a client running a single server (SBS2003) sitting behind a SonicWall TZ 180 Enhanced. The server got infected a while ago, and we removed the infections (I thought), but found that it was pushing data up to someplace on the internet. Disabling NetBIOS resolved that issue, but when I re-enable it, it starts back up.

Now, the server has started the same type of thing, uploading mainly to two specific addresses:

There is one and only one way to take care of a stubborn malware infection: “format c: /FS:NTFS /V:nosoupforyou /X”

Seriously. It’s ugly, but it can get even uglier if you start ripping things out with HijackThis. Chances are, things are unalterably damaged and you’ll continue to have problems until you reformat and reinstall. :(

I’m not sure that you have an infection. The 229.111.112.12 IP address is a multicast address which is not external to your network and is not routable. This particular address appears to be tied to some MegaRaid controller software which coincides with your HiJackThis results.

As for the second IP address, do you have a proxy server or ISA server in your network?

Can you post the results of netstat -a -n?

Also, if you run netstat -a -b -n -o you’ll see the processes and PID’s associated with each connection which might give you a clue as to what’s going on.

What is the purpose/function of a multicast address (sorry, either don’t remember or haven’t gotten that far yet)? Why would the RAID management software need to be accessing it? If it’s not external to my network, and I don’t have anything of that IP scheme on my network, where is it? Hopefully this doesn’t come across as rude, I’m just trying to learn right now and this site has definitely helped a lot. I’ve attached the outputs of the ‘netstat’ commands, each command in its own .txt file.

A multicast address is a class D address that is primarily used to communicate with members of multicast groups or to broadcast a service such as a router advertisement or query. All hosts listen for traffic sent to certain multicast addresses. The MegaRaid software may be sending these packets to communicate with a management console, management software, or to broadcast its existence to other servers. It seems pretty normal to me as you’ll normally see some multicast traffic in most modern networks.

The two netstat files look fairly OK to me. I’m guessing that this server is:

I enabled multicast on the SonicWall with access only to the address 229.111.112.12 and for right now it seems OK. When I put the address in, it forced me to select multicast for the zone… more comfort on my part. Now my only issue is the second address.

AFAIK, you don’t need to allow access to the multicast address in your firewall as the multicast address is for internal communication and not intended for external hosts. As such the traffic will “stay” on your LAN. The firewall will see the traffic because all hosts have to listen to multicast traffic to determine if it pertains to them or not. If it doesn’t pertain to them they drop the multicast traffic. Your firewall should simply drop or ignore the multicast traffic.

Have you run a recent netstat to see if the other IP address is in the output?

If the IP address doesn’t show in netstat then there’s no connection to or from that IP address. I would keep an eye out by periodically running netstat and checking your firewall logs to see if you see anything funny.
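A small helper for the periodic netstat check suggested above, added here as an example and not part of the thread or its attachments. It parses the `netstat -a -n -o` table, sorts every foreign address into wildcard, multicast (class D, 224.0.0.0/4, where 229.111.112.12 lands), local (RFC 1918, loopback, link-local) or external, and reports which PIDs own the external connections so they can be matched against the `-b` output. The sample text and its addresses and PIDs are constructed; the Windows column layout (TCP rows carry a State column, UDP rows do not) is the assumption the parser relies on.

```python
"""Classify the peers in `netstat -a -n -o` output: multicast traffic stays on
the LAN and is expected from tools like the MegaRAID manager, private ranges
are local, and anything else is an external peer worth a closer look."""
import ipaddress
from typing import Dict, List

# Constructed sample shaped like Windows `netstat -a -n -o` output. It is not
# the attachment from the thread; addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    192.168.1.10:139       192.168.1.50:1056      ESTABLISHED     4
  TCP    192.168.1.10:1043      203.0.113.7:443        ESTABLISHED     2212
  TCP    192.168.1.10:1044      198.51.100.23:8080     SYN_SENT        2212
  UDP    0.0.0.0:137            *:*                                    4
  UDP    192.168.1.10:5571      229.111.112.12:5571                    1288
"""

LOCAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local / APIPA
)]


def classify_address(host: str) -> str:
    """Return 'wildcard', 'multicast', 'local' or 'external' for one host."""
    if host in ("*", ""):
        return "wildcard"
    ip = ipaddress.ip_address(host.strip("[]"))
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_multicast:  # 224.0.0.0/4, class D; 229.111.112.12 lands here
        return "multicast"
    if ip.version == 4:
        # Explicit list rather than ip.is_private: CPython also treats the
        # TEST-NET documentation ranges as private, which would hide them.
        return "local" if any(ip in net for net in LOCAL_V4) else "external"
    return "local" if (ip.is_loopback or ip.is_link_local or ip.is_private) else "external"


def _split_endpoint(endpoint: str):
    """'192.168.1.10:139' -> ('192.168.1.10', '139'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn netstat rows into dicts; header, blank and '[image.exe]' lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # TCP rows have a State column, UDP rows do not, so read from both ends.
        state = parts[3] if len(parts) == 5 else ""
        lhost, lport = _split_endpoint(parts[1])
        fhost, fport = _split_endpoint(parts[2])
        rows.append({
            "proto": parts[0], "local": lhost, "lport": lport,
            "foreign": fhost, "fport": fport, "state": state, "pid": parts[-1],
            "class": classify_address(fhost),
        })
    return rows


def external_peers(text: str) -> List[Dict[str, str]]:
    """Rows whose foreign address is neither local, multicast nor wildcard."""
    return [r for r in parse_netstat(text) if r["class"] == "external"]


def pids_by_class(text: str) -> Dict[str, set]:
    """Map each address class to the PIDs touching it, for follow-up with the
    -b output or `tasklist /FI "PID eq <pid>"`."""
    out: Dict[str, set] = {}
    for r in parse_netstat(text):
        out.setdefault(r["class"], set()).add(r["pid"])
    return out


if __name__ == "__main__":
    for r in parse_netstat(SAMPLE_NETSTAT):
        print(f"{r['proto']:4} {r['foreign']:>16}:{r['fport']:<6} {r['class']:10} pid={r['pid']}")
    print("external:", [(r["foreign"], r["pid"]) for r in external_peers(SAMPLE_NETSTAT)])
```

On the real server the output of `netstat -a -n -o > netstat.txt` would be fed to `parse_netstat` instead of the constructed sample; saving each run with a timestamp and diffing `external_peers` between runs is the cheap way to notice a new peer appearing, which is exactly the periodic check the reply above recommends.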

It’s very simple! First of all, check whether your ISP is using a dynamic or static IP. Secondly, make sure that the encryption method for XP, Vista and the router are all the same. That means WPA or WPA2 Personal, etc.
Don’t forget to connect the LAN cable for the first use with XP, otherwise your network will not work.

A bit dated my reply, but since I just saw this same IP & port on my network in wireshark, I have that address associated with LSI_MEM_mcast_discovery. I.e. When you bring up the LSI Megaraid manager it looks out over the local net for cards that are broadcasting so they can be detected by other systems running the manager. It has a TTL == 1, so it shouldn’t ever be passed beyond any system directly connected to your system — so likely safe to unblock or block.

Usage might be if you had another system with same card+software then either system might be able to manage the other..

The above presumes no malfunctioning gateways that ignore network requirements….:-)